#5636 migration of CA-less master to externally signed CA fails on the second step
Closed: Fixed. Opened 8 years ago by mbabinsk.

When migrating CA-less master to a full CA with externally signed CA cert, the first step of the installation works as expected:

{{{
# ipa-ca-install --external-ca
Directory Manager (existing master) password:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-ca-install as:
/sbin/ipa-ca-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
}}}

The second step, however, fails with a wrong error message:

{{{
# ipa-ca-install --external-cert-file /root/ca.crt --external-cert /root/ipa.crt
Directory Manager (existing master) password:

CA is already installed on this host.
}}}

The problem is in the following check in ipaserver/install/ca.py on line 48, which does not take into account the use of external cert files:

{{{
    if standalone:
        if cainstance.is_ca_installed_locally():
            sys.exit("CA is already installed on this host.")
        elif api.Command.ca_is_enabled()['result']:
            sys.exit(
                "One or more CA masters are already present in IPA realm "
                "'%s'.\nIf you wish to replicate CA to this host, please "
                "re-run 'ipa-ca-install'\nwith a replica file generated on "
                "an existing CA master as argument." % realm_name
            )
}}}

This was tested on IPA server built from 4-2 branch. Other branches should not be affected.

Steps to reproduce:

1.) Install CA-less master

2.) run {{{ipa-ca-install --external-ca}}}

3.) get the generated request and sign it with an external CA

4.) run second step of CA install:

{{{ipa-ca-install --external-cert-file /path/to/IPA/cert --external-cert-file /path/to/external/CA/cert}}}

Expected result:

CA installation proceeds as usual

Actual result:

CA installation in step 4 fails with:

{{{CA is already installed on this host.}}}
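The quoted check, modelled as an added example so the failing step-two case can be run offline. This is not FreeIPA's code and not the patch in the fix commits: `cainstance.is_ca_installed_locally()` and `api.Command.ca_is_enabled()` are replaced by plain booleans, the `external_cert_files` parameter and the corrected branch are assumptions, and the host states are constructed.

```python
# Added example, not FreeIPA code: a stand-alone model of the install_check()
# preflight quoted in the ticket, with its collaborators replaced by plain values.
ALREADY_INSTALLED = "CA is already installed on this host."


def already_present_msg(realm_name):
    # Same text as the second sys.exit() in the quoted check.
    return (
        "One or more CA masters are already present in IPA realm "
        "'%s'.\nIf you wish to replicate CA to this host, please "
        "re-run 'ipa-ca-install'\nwith a replica file generated on "
        "an existing CA master as argument." % realm_name
    )


def preflight_buggy(standalone, ca_installed_locally, ca_enabled, realm_name,
                    external_cert_files=()):
    """The check as quoted: external_cert_files is never consulted, so step two
    of an external-CA install is refused. Returns the error text, or None."""
    if standalone:
        if ca_installed_locally:
            return ALREADY_INSTALLED
        elif ca_enabled:
            return already_present_msg(realm_name)
    return None


def preflight_fixed(standalone, ca_installed_locally, ca_enabled, realm_name,
                    external_cert_files=()):
    """Assumed correction (not the project's actual patch): signed cert files
    mean we are in step two, where the partially configured local instance left
    by step one is expected, so only the local-install check is skipped."""
    if standalone:
        if ca_installed_locally and not external_cert_files:
            return ALREADY_INSTALLED
        elif ca_enabled:
            return already_present_msg(realm_name)
    return None


# Constructed host states. STEP_TWO is the ticket's failing case: after step one
# the local pki-tomcat instance exists (assumed reason the check fires) while no
# CA master is registered in the realm yet.
STEP_TWO = dict(standalone=True, ca_installed_locally=True, ca_enabled=False,
                realm_name="EXAMPLE.TEST",
                external_cert_files=("/root/ipa.crt", "/root/ca.crt"))
FRESH_CALESS = dict(STEP_TWO, ca_installed_locally=False, external_cert_files=())
CA_ELSEWHERE = dict(FRESH_CALESS, ca_enabled=True)
```

`preflight_buggy(**STEP_TWO)` reproduces the ticket's message, while `preflight_fixed(**STEP_TWO)` lets the second step continue; both versions still refuse a fresh standalone install when a CA master already exists elsewhere in the realm.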


master:

  • 72e7261 fix standalone installation of externally signed CA on IPA master

ipa-4-3:

  • 87cd188 fix standalone installation of externally signed CA on IPA master

ipa-4-2:

  • 2438462 fix standalone installation of externally signed CA on IPA master

Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.2.4

7 years ago